Hi Enrique,

All the "Added logfile" below are for the apache-badbots jail, not for phpmyadmin.

You should put the log filename in the [phpmyadmin] section.

Regards,

Dudi

-----Original Message-----
From: Henrique Fagundes [mailto:[email protected]]
Sent: Saturday, February 15, 2020 16:39
To: Henrique Fagundes <[email protected]>
Cc: Dudi Goldenberg <[email protected]>; Fail2ban Users <[email protected]>
Subject: Re: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin

LogPath:

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
         #sendmail-whois[name=PHPMYADMIN, [email protected]]
logpath = /var/log/secure
maxretry = 3

LOG:

2020-02-15 10:42:38,899 fail2ban.jail [24481]: INFO Creating new jail 'apache-badbots'
2020-02-15 10:42:38,901 fail2ban.jail [24481]: INFO Jail 'apache-badbots' uses poller {}
2020-02-15 10:42:38,901 fail2ban.jail [24481]: INFO Initiated 'polling' backend
2020-02-15 10:42:38,915 fail2ban.filter [24481]: INFO maxRetry: 3
2020-02-15 10:42:38,915 fail2ban.filter [24481]: INFO findtime: 3600
2020-02-15 10:42:38,915 fail2ban.actions [24481]: INFO banTime: -1
2020-02-15 10:42:38,915 fail2ban.filter [24481]: INFO encoding: UTF-8
2020-02-15 10:42:38,916 fail2ban.filter [24481]: INFO Added logfile: '/var/log/httpd/clubenaval.org.br/www_error.log' (pos = 5204, hash = e219f0f332829bc88280b9db329549153768f73d)
2020-02-15 10:42:38,916 fail2ban.filter [24481]: INFO Added logfile: '/var/log/httpd/clubenaval.org.br/teste_error.log' (pos = 4886, hash = 485cdd7cac30d28770e02f6eef0fe7e2c75bce75)
2020-02-15 10:42:38,916 fail2ban.filter [24481]: INFO Added logfile: '/var/log/httpd/clubenaval.org.br/phpmyadmin_error.log' (pos = 3616, hash = 2faa788efe6c2b262cbd656fd3d526e8a168d5ce)
2020-02-15 10:42:38,917 fail2ban.filter [24481]: INFO Added logfile: '/var/log/httpd/clubenaval.org.br/clubesconveniados_error.log' (pos = 5198, hash = 9fe72ef587a33b67602066e13c45873e6b78ef7d)
2020-02-15 10:42:38,917 fail2ban.filter [24481]: INFO Added logfile: '/var/log/httpd/clubenaval.org.br/centenario_error.log' (pos = 5016, hash = 26b30b9f9a3df00fb63610da947057d996618dd0)
2020-02-15 10:42:38,918 fail2ban.jail [24481]: INFO Creating new jail 'vsftpd'
2020-02-15 10:42:38,919 fail2ban.jail [24481]: INFO Jail 'vsftpd' uses poller {}
2020-02-15 10:42:38,919 fail2ban.jail [24481]: INFO Initiated 'polling' backend
2020-02-15 10:42:38,926 fail2ban.filter [24481]: INFO maxRetry: 3
2020-02-15 10:42:38,926 fail2ban.filter [24481]: INFO findtime: 3600
2020-02-15 10:42:38,926 fail2ban.actions [24481]: INFO banTime: -1
2020-02-15 10:42:38,927 fail2ban.filter [24481]: INFO encoding: UTF-8
2020-02-15 10:42:38,927 fail2ban.filter [24481]: INFO Added logfile: '/var/log/vsftpd.log' (pos = 1345, hash = 6ae2e84f3a2fd1944c152a0c21907b5eedb13fcb)
2020-02-15 10:42:38,930 fail2ban.jail [24481]: INFO Jail 'phpmyadmin' started
2020-02-15 10:42:38,931 fail2ban.jail [24481]: INFO Jail 'apache-auth' started
2020-02-15 10:42:38,934 fail2ban.jail [24481]: INFO Jail 'drupal-comment' started
2020-02-15 10:42:38,936 fail2ban.jail [24481]: INFO Jail 'drupal-auth' started
2020-02-15 10:42:38,945 fail2ban.jail [24481]: INFO Jail 'apache-noscript' started
2020-02-15 10:42:38,948 fail2ban.jail [24481]: INFO Jail 'apache-overflows' started
2020-02-15 10:42:38,953 fail2ban.jail [24481]: INFO Jail 'apache-badbots' started
2020-02-15 10:42:38,963 fail2ban.jail [24481]: INFO Jail 'vsftpd' started
2020-02-15 10:42:39,156 fail2ban.actions [24481]: NOTICE [vsftpd] Restore Ban 177.124.244.58

---- On Sat, 15 Feb 2020 11:21:35 -0300 Henrique Fagundes <[email protected]> wrote ----

> Friend,
>
> Here are my /etc/fail2ban/jail.conf settings:
>
> [INCLUDES]
> before = paths-fedora.conf
>
> [DEFAULT]
> ignoreip = 127.0.0.1/8
> ignorecommand =
>
> bantime = -1
> findtime = 3600
> maxretry = 3
>
> backend = auto
> usedns = warn
> logencoding = auto
> enabled = false
> filter = %(__name__)s
> destemail = [email protected]
> sender = [email protected]
> mta = sendmail
> protocol = tcp
> chain = INPUT
> port = 0:65535
>
> fail2ban_agent = Fail2Ban/%(fail2ban_version)s
>
> banaction = iptables-multiport
> banaction_allports = iptables-allports
>
> action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
>
> action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
>             %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
>
> action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
>              %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
>
> action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
>               xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
>
> action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
>                 %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
>
> action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
>
> action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
>
> action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
>
> action = %(action_)s
>
> [sshd]
> port = 17169
> logpath = %(sshd_log)s
> backend = %(sshd_backend)s
>
> [sshd-ddos]
> port = 17169
> logpath = %(sshd_log)s
> backend = %(sshd_backend)s
>
> [dropbear]
> port = 17169
> logpath = %(dropbear_log)s
> backend = %(dropbear_backend)s
>
> [selinux-ssh]
> port = 17169
> logpath = %(auditd_log)s
>
> [phpmyadmin]
> enabled = true
> port = http,https
> filter = phpmyadmin
> action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
>          #sendmail-whois[name=PHPMYADMIN, [email protected]]
> logpath = /var/log/secure
> maxretry = 3
>
> [apache-auth]
> enabled = true
> port = http,https
> filter = apache-auth
> action = iptables-multiport[name=apache-auth, port="http,https", protocol=tcp]
>          #sendmail-whois[name=APACHE, [email protected]]
> logpath = /var/log/httpd/*/*_error.log
> maxretry = 3
>
> [drupal-comment]
> enabled = true
> port = http,https
> filter = drupal-comment
> action = iptables-multiport[name=drupal-comment, port="http,https", protocol=tcp]
>          #sendmail-whois[name=DRUPAL, [email protected]]
> logpath = /var/log/messages
> maxretry = 3
>
> [drupal-auth]
> enabled = true
> port = http,https
> filter = drupal-auth
> action = iptables-multiport[name=drupal-auth, port="http,https", protocol=tcp]
>          #sendmail-whois[name=DRUPAL, [email protected]]
> logpath = /var/log/messages
> maxretry = 3
>
> [apache-noscript]
> enabled = true
> port = http,https
> filter = apache-noscript
> action = iptables-multiport[name=apache-noscript, port="http,https", protocol=tcp]
>          #sendmail-whois[name=APACHE, [email protected]]
> logpath = /var/log/httpd/*/*_error.log
> maxretry = 3
>
> [apache-overflows]
> enabled = true
> port = http,https
> filter = apache-overflows
> action = iptables-multiport[name=apache-overflows, port="http,https", protocol=tcp]
>          #sendmail-whois[name=APACHE, [email protected]]
> logpath = /var/log/httpd/*/*_error.log
> maxretry = 3
>
> [apache-badbots]
> enabled = true
> port = http,https
> filter = apache-badbots
> action = iptables-multiport[name=apache-badbots, port="http,https", protocol=tcp]
>          #sendmail-whois[name=APACHE, [email protected]]
> logpath = /var/log/httpd/*/*_error.log
> maxretry = 3
>
> [openhab-auth]
>
> filter = openhab
> action = iptables-allports[name=NoAuthFailures]
> logpath = /opt/openhab/logs/request.log
>
> [nginx-http-auth]
> port = http,https
> logpath = %(nginx_error_log)s
>
> [nginx-limit-req]
> port = http,https
> logpath = %(nginx_error_log)s
>
> [nginx-botsearch]
> port = http,https
> logpath = %(nginx_error_log)s
> maxretry = 2
>
> [php-url-fopen]
> port = http,https
> logpath = %(nginx_access_log)s
>           %(apache_access_log)s
>
> [suhosin]
> port = http,https
> logpath = %(suhosin_log)s
>
> [lighttpd-auth]
> port = http,https
> logpath = %(lighttpd_error_log)s
>
> [roundcube-auth]
> port = http,https
> logpath = %(roundcube_errors_log)s
>
> [openwebmail]
> port = http,https
> logpath = /var/log/openwebmail.log
>
> [horde]
> port = http,https
> logpath = /var/log/horde/horde.log
>
> [groupoffice]
> port = http,https
> logpath = /home/groupoffice/log/info.log
>
> [sogo-auth]
> port = http,https
> logpath = /var/log/sogo/sogo.log
>
> [tine20]
> logpath = /var/log/tine20/tine20.log
> port = http,https
>
> #[drupal-auth]
> #port = http,https
> #logpath = %(syslog_daemon)s
> #backend = %(syslog_backend)s
>
> [guacamole]
> port = http,https
> logpath = /var/log/tomcat*/catalina.out
>
> [monit]
> port = 2812
> logpath = /var/log/monit
>
> [webmin-auth]
> port = 10000
> logpath = %(syslog_authpriv)s
> backend = %(syslog_backend)s
>
> [froxlor-auth]
> port = http,https
> logpath = %(syslog_authpriv)s
> backend = %(syslog_backend)s
>
> [squid]
> port = 80,443,3128,8080
> logpath = /var/log/squid/access.log
>
> [3proxy]
> port = 3128
> logpath = /var/log/3proxy.log
>
> [pure-ftpd]
> port = ftp,ftp-data,ftps,ftps-data
> logpath = %(pureftpd_log)s
> backend = %(pureftpd_backend)s
>
> [gssftpd]
> port = ftp,ftp-data,ftps,ftps-data
> logpath = %(syslog_daemon)s
> backend = %(syslog_backend)s
>
> [wuftpd]
> port = ftp,ftp-data,ftps,ftps-data
> logpath = %(wuftpd_log)s
> backend = %(wuftpd_backend)s
>
> [vsftpd]
> enabled = true
> port = ftp,ftp-data,ftps,ftps-data
> logpath = %(vsftpd_log)s
> enable = true
> action = iptables-multiport[name=vsftpd, port="ftp,ftp-data,ftps,ftps-data", protocol=tcp]
>          #sendmail-whois[name=fail2ban-vsftpd-bruteforce, [email protected]]
> maxretry = 3
>
> [assp]
> port = smtp,465,submission
> logpath = /var/log/mail.log
>
> [courier-smtp]
> port = smtp,465,submission
> logpath = %(syslog_mail)s
> backend = %(syslog_backend)s
>
> [postfix]
> port = smtp,465,submission
> logpath = %(postfix_log)s
> backend = %(postfix_backend)s
>
> [postfix-rbl]
> port = smtp,465,submission
> logpath = %(postfix_log)s
> backend = %(postfix_backend)s
> maxretry = 1
>
> [sendmail-auth]
> port = submission,465,smtp
> logpath = %(syslog_mail)s
> backend = %(syslog_backend)s
>
> [sendmail-reject]
> port = smtp,465,submission
> logpath = %(syslog_mail)s
> backend = %(syslog_backend)s
>
> [qmail-rbl]
> filter = qmail
> port = smtp,465,submission
> logpath = /service/qmail/log/main/current
>
> [dovecot]
> port = pop3,pop3s,imap,imaps,submission,465,sieve
> logpath = %(dovecot_log)s
> backend = %(dovecot_backend)s
>
> [sieve]
> port = smtp,465,submission
> logpath = %(dovecot_log)s
> backend = %(dovecot_backend)s
>
> [solid-pop3d]
> port = pop3,pop3s
> logpath = %(solidpop3d_log)s
>
> [exim]
> port = smtp,465,submission
> logpath = %(exim_main_log)s
>
> [exim-spam]
> port = smtp,465,submission
> logpath = %(exim_main_log)s
>
> [kerio]
> port = imap,smtp,imaps,465
> logpath = /opt/kerio/mailserver/store/logs/security.log
>
> [courier-auth]
> port = smtp,465,submission,imap3,imaps,pop3,pop3s
> logpath = %(syslog_mail)s
> backend = %(syslog_backend)s
>
> [postfix-sasl]
> port = smtp,465,submission,imap3,imaps,pop3,pop3s
> logpath = %(postfix_log)s
> backend = %(postfix_backend)s
>
> [perdition]
> port = imap3,imaps,pop3,pop3s
> logpath = %(syslog_mail)s
> backend = %(syslog_backend)s
>
> [squirrelmail]
> port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
>
> [cyrus-imap]
> port = imap3,imaps
> logpath = %(syslog_mail)s
> backend = %(syslog_backend)s
>
> [uwimap-auth]
> port = imap3,imaps
> logpath = %(syslog_mail)s
> backend = %(syslog_backend)s
>
> [named-refused]
> port = domain,953
> logpath = /var/log/named/security.log
>
> [nsd]
> port = 53
> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
>          %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
> logpath = /var/log/nsd.log
>
> [asterisk]
> port = 5060,5061
> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
>          %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
>          %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
> logpath = /var/log/asterisk/messages
> maxretry = 10
>
> [freeswitch]
> port = 5060,5061
> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
>          %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
>          %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
> logpath = /var/log/freeswitch.log
> maxretry = 10
>
> [mysqld-auth]
> port = 3306
> logpath = %(mysql_log)s
> backend = %(mysql_backend)s
>
> [mongodb-auth]
> port = 27017
> logpath = /var/log/mongodb/mongodb.log
>
> [recidive]
> logpath = /var/log/fail2ban.log
> banaction = %(banaction_allports)s
> bantime = 604800 ; 1 week
> findtime = 86400 ; 1 day
>
> [pam-generic]
> banaction = %(banaction_allports)s
> logpath = %(syslog_authpriv)s
> backend = %(syslog_backend)s
>
> [xinetd-fail]
> banaction = iptables-multiport-log
> logpath = %(syslog_daemon)s
> backend = %(syslog_backend)s
> maxretry = 2
>
> [stunnel]
> logpath = /var/log/stunnel4/stunnel.log
>
> [ejabberd-auth]
> port = 5222
> logpath = /var/log/ejabberd/ejabberd.log
>
> [counter-strike]
> logpath = /opt/cstrike/logs/L[0-9]*.log
> tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
> udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
> action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
>          %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
>
> [nagios]
> logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
> backend = %(syslog_backend)s
> maxretry = 1
>
> [oracleims]
> logpath = /opt/sun/comms/messaging64/log/mail.log_current
> banaction = %(banaction_allports)s
>
> [directadmin]
> logpath = /var/log/directadmin/login.log
> port = 2222
>
> [portsentry]
> logpath = /var/lib/portsentry/portsentry.history
> maxretry = 1
>
> [pass2allow-ftp]
> port = ftp,ftp-data,ftps,ftps-data
> knocking_url = /knocking/
> filter = apache-pass[knocking_url="%(knocking_url)s"]
> logpath = %(apache_access_log)s
> blocktype = RETURN
> returntype = DROP
> bantime = 3600
> maxretry = 1
> findtime = 1
>
> [murmur]
> port = 64738
> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
>          %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
> logpath = /var/log/mumble-server/mumble-server.log
>
> [screensharingd]
> logpath = /var/log/system.log
> logencoding = utf-8
>
> [haproxy-http-auth]
> logpath = /var/log/haproxy.log
>
> [slapd]
> port = ldap,ldaps
> filter = slapd
> logpath = /var/log/slapd.log
>
>
> Regards,
>
> Henrique Fagundes
> Linux Support Analyst
> [email protected]
> Skype: magnata-br-rj
> Linux User: 475399
>
> https://www.aprendendolinux.com
> https://www.facebook.com/AprendendoLinux
> https://youtube.com/AprendendoLinux
> https://twitter.com/AprendendoLinux
> https://t.me/AprendendoLinux
> https://t.me/GrupoAprendendoLinux
> ______________________________________________________________________
> Join the Aprendendo Linux Group
> https://listas.aprendendolinux.com/listinfo/aprendendolinux
>
> Or send an e-mail to:
> [email protected]
>
>
> ---- On Sat, 15 Feb 2020 10:56:55 -0300 Dudi Goldenberg <[email protected]> wrote ----
>
> > Hi,
> >
> > The regex is fine for the log lines that you showed.
> >
> > Try to go over the rest of the jail and verify that it's properly configured.
> >
> > Regards,
> >
> > Dudi
> >
> > -----Original Message-----
> > From: Henrique Fagundes [mailto:[email protected]]
> > Sent: Saturday, February 15, 2020 15:45
> > To: Dudi Goldenberg <[email protected]>
> > Cc: Fail2ban Users <[email protected]>
> > Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
> >
> > Friend,
> >
> > In practice, it doesn't work!
> > I am purposely missing the logins and it does not block.
> >
> > I did a test with FTP and it blocks normally.
> > I don't know what's going on.
> >
> > ---- On Sat, 15 Feb 2020 10:32:34 -0300 Dudi Goldenberg <[email protected]> wrote ----
> >
> > > Well,
> > >
> > > According to the test it did work:
> > >
> > > Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 sec]
> > >
> > > So you have 182 matches.
> > >
> > > Regards,
> > >
> > > Dudi
> > >
> > > -----Original Message-----
> > > From: Henrique Fagundes [mailto:[email protected]]
> > > Sent: Saturday, February 15, 2020 15:28
> > > To: Dudi Goldenberg <[email protected]>
> > > Cc: Fail2ban Users <[email protected]>
> > > Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
> > >
> > > Friend,
> > >
> > > Unfortunately, the rule you gave me didn't work!
> > >
> > > The log file is /var/log/secure.
> > >
> > > I ran the command below:
> > >
> > > fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/phpmyadmin.conf
> > >
> > > This was the output:
> > >
> > > Running tests
> > > =============
> > >
> > > Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban
> > > Use log file : /var/log/secure
> > > Use encoding : UTF-8
> > >
> > >
> > > Results
> > > =======
> > >
> > > Failregex: 182 total
> > > |- #) [# of hits] regular expression
> > > | 1) [182] user denied: .+ from <HOST>\s*$
> > > `-
> > >
> > > Ignoreregex: 0 total
> > >
> > > Date template hits:
> > > |- [# of hits] date format
> > > | [772] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
> > > `-
> > >
> > > Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 sec]
> > > Missed line(s): too many to print. Use --print-all-missed to print all 590 lines
> > >
> > > Is there anything else I can do to resolve the issue?
> > >
> > > ---- On Sat, 15 Feb 2020 10:07:12 -0300 Dudi Goldenberg <[email protected]> wrote ----
> > >
> > > > Hi,
> > > >
> > > > You should edit /etc/fail2ban/filter.d/phpmyadmin.conf and modify the failregex line to read:
> > > >
> > > > failregex = user denied: .+ from <HOST>\s*$
> > > >
> > > > The tst is a file I created with the log lines in it for testing...
> > > >
> > > > After you modify phpmyadmin.conf this should work and show matches:
> > > >
> > > > fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/phpmyadmin.conf
> > > >
> > > > Make sure you insert the real path to the log file instead of /path/to/logfile.
> > > >
> > > > Regards,
> > > >
> > > > Dudi
> > > >
> > > > -----Original Message-----
> > > > From: Henrique Fagundes [mailto:[email protected]]
> > > > Sent: Saturday, February 15, 2020 13:26
> > > > To: Dudi Goldenberg <[email protected]>
> > > > Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
> > > >
> > > > Friend,
> > > >
> > > > Good morning! Thanks for answering!
> > > >
> > > > I tested your regular expression and it didn't work, unfortunately.
> > > >
> > > > The output of my command was like this:
> > > >
> > > > [root@www ~]# fail2ban-regex tst /etc/fail2ban/filter.d/phpmyadmin.conf
> > > >
> > > > Running tests
> > > > =============
> > > >
> > > > Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban
> > > > Use single line : tst
> > > >
> > > >
> > > > Results
> > > > =======
> > > >
> > > > Failregex: 0 total
> > > >
> > > > Ignoreregex: 0 total
> > > >
> > > > Date template hits:
> > > >
> > > > Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.05 sec]
> > > > |- Missed line(s):
> > > > | tst
> > > > `-
> > > >
> > > > Is there anything else I can do to resolve this issue?
> > > >
> > > > I am grateful!
> > > >
> > > > Regards,
> > > >
> > > > Henrique Fagundes
> > > > Linux Support Analyst
> > > > [email protected]
> > > > Skype: magnata-br-rj
> > > > Linux User: 475399
> > > >
> > > > https://www.aprendendolinux.com
> > > > https://www.facebook.com/AprendendoLinux
> > > > https://youtube.com/AprendendoLinux
> > > > https://twitter.com/AprendendoLinux
> > > > https://t.me/AprendendoLinux
> > > > https://t.me/GrupoAprendendoLinux
> > > > ______________________________________________________________________
> > > > Join the Aprendendo Linux Group
> > > > https://listas.aprendendolinux.com/listinfo/aprendendolinux
> > > >
> > > > Or send an e-mail to:
> > > > [email protected]
> > > >
> > > > ---- On Sat, 15 Feb 2020 05:24:41 -0300 Dudi Goldenberg <[email protected]> wrote ----
> > > >
> > > > > Hi,
> > > > >
> > > > > I pasted the wrong line.... sorry.
> > > > >
> > > > > This works:
> > > > >
> > > > > failregex = user denied: .+ from <HOST>\s*$
> > > > >
> > > > > ===========
> > > > > root@mail:~# fail2ban-regex tst /etc/fail2ban/filter.d/test.conf
> > > > >
> > > > > Running tests
> > > > > =============
> > > > >
> > > > > Use failregex file : /etc/fail2ban/filter.d/webmin-auth.conf
> > > > > Use log file : tst
> > > > >
> > > > >
> > > > > Results
> > > > > =======
> > > > >
> > > > > Failregex: 1 total
> > > > > |- #) [# of hits] regular expression
> > > > > | 4) [1] user denied: .+ from <HOST>\s*$
> > > > > `-
> > > > >
> > > > > Ignoreregex: 0 total
> > > > >
> > > > > Date template hits:
> > > > > |- [# of hits] date format
> > > > > | [1] MONTH Day Hour:Minute:Second
> > > > > `-
> > > > >
> > > > > Lines: 1 lines, 0 ignored, 1 matched, 0 missed
> > > > >
> > > > > Regards,
> > > > >
> > > > > Dudi
> > > > >
> > > > > -----Original Message-----
> > > > > From: Henrique Fagundes [mailto:[email protected]]
> > > > > Sent: Saturday, February 15, 2020 3:34
> > > > > To: fail2ban-users <[email protected]>
> > > > > Subject: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
> > > > >
> > > > > Dear Colleagues,
> > > > >
> > > > > I begin by apologizing for any communication error, as I am Brazilian and I am still trying to adapt to the English language.
> > > > >
> > > > > I'm having a hard time getting Fail2Ban to work on phpmyadmin.
> > > > >
> > > > > I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2.
> > > > > My PhpMyAdmin is version 4.9.0.1.
> > > > >
> > > > > I noticed that PhpMyAdmin logs login failures in the "/var/log/secure" file.
> > > > >
> > > > > And it has output like this:
> > > > >
> > > > > Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > > > > Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
> > > > > Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > > > > Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
> > > > >
> > > > > So, I configured my "/etc/fail2ban/jail.conf" like this:
> > > > >
> > > > > [phpmyadmin]
> > > > > enabled = true
> > > > > port = http,https
> > > > > filter = phpmyadmin
> > > > > action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
> > > > >          sendmail-whois[name=PHPMYADMIN, [email protected]]
> > > > > logpath = /var/log/secure
> > > > > maxretry = 3
> > > > >
> > > > > And in the filter configuration file (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this:
> > > > >
> > > > > [Definition]
> > > > > denied = mysql-denied|allow-denied|root-denied|empty-denied
> > > > > failregex = ^<HOST> -.*(?:%(denied)s)$
> > > > > ignoreregex =
> > > > >
> > > > > I believe I am not able to correctly form the expression, as Fail2Ban is not blocking at all.
> > > > >
> > > > > Could someone help me in this matter?
> > > > >
> > > > > I'll be very grateful.
> > > > >
> > > > > _______________________________________________
> > > > > Fail2ban-users mailing list
> > > > > [email protected]
> > > > > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
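The thread turns on why the original failregex `^<HOST> -.*(?:%(denied)s)$` never matches the phpMyAdmin lines in /var/log/secure while `user denied: .+ from <HOST>\s*$` does: the first form expects a web-server access-log line that begins with the client address, whereas the syslog line puts the address at the end, after "from". The Python script below is an added example, not part of the thread and not fail2ban's own code. It emulates what fail2ban-regex does on the four log lines quoted in the original post plus one constructed sshd line that must not match (the date is cut off the line, the failregex is applied to the remainder, and the `<host>` group is collected), then applies the jail's maxretry=3 / findtime=3600 rule to decide which host would be banned. Assumptions: the `<HOST>` expansion is the 0.9-series form from fail2ban's filter.py (adequate for IPv4), `%(denied)s` is expanded inline because there is no config interpolation here, the syslog year is taken to be 2020 because syslog timestamps omit it, and the ban decision is a simplified sliding window, not the server's real code path.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the four /var/log/secure lines quoted in the original post,
# plus one sshd line (constructed) that the phpmyadmin filter must NOT match.
SAMPLE_LOG = """\
Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:50:00 www sshd[4100]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
"""

# The poster's original failregex with %(denied)s expanded by hand. It wants the
# line to START with the client address (an Apache access-log shape), which a
# syslog line never does.
ORIGINAL_FAILREGEX = r"^<HOST> -.*(?:mysql-denied|allow-denied|root-denied|empty-denied)$"
# The failregex suggested in the thread: anchor on the message text, host at the end.
FIXED_FAILREGEX = r"user denied: .+ from <HOST>\s*$"

# Approximation of fail2ban's <HOST> substitution (assumed 0.9-series form; fine for IPv4).
HOST_SUBST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Syslog timestamp at the start of a /var/log/secure line, e.g. "Feb 14 21:40:37".
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_SUBST))


def split_timestamp(line, year=2020):
    """Return (datetime, remainder of line). The year is assumed; syslog omits it."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None, line
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, line[m.end():]


def find_failures(log_text, failregex):
    """Emulate fail2ban-regex: strip the date, match the rest, collect (time, host).
    Lines without a recognisable date are skipped in this simplified emulation."""
    rx = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        ts, rest = split_timestamp(line)
        if ts is None:
            continue
        m = rx.search(rest)
        if m:
            hits.append((ts, m.group("host")))
    return hits


def hosts_to_ban(hits, maxretry=3, findtime=3600):
    """Simplified jail logic: ban a host once it has maxretry failures within findtime seconds.
    Returns {host: time of the failure that triggered the ban}."""
    window = defaultdict(list)
    banned = {}
    for ts, host in sorted(hits):
        if host in banned:
            continue
        cutoff = ts - timedelta(seconds=findtime)
        window[host] = [t for t in window[host] if t >= cutoff] + [ts]
        if len(window[host]) >= maxretry:
            banned[host] = ts
    return banned


def summarize(log_text, failregex, maxretry=3, findtime=3600):
    """Counts in the shape of the 'Lines: N lines, ... matched, ... missed' summary, plus bans."""
    hits = find_failures(log_text, failregex)
    total = len(log_text.splitlines())
    return {
        "lines": total,
        "matched": len(hits),
        "missed": total - len(hits),
        "banned": sorted(hosts_to_ban(hits, maxretry, findtime)),
    }


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        print(f"{name:9s} {summarize(SAMPLE_LOG, rx)}")
```

Running it shows the original pattern matching 0 of 5 lines and the corrected pattern matching the 4 phpMyAdmin lines while leaving the sshd line missed; 177.122.254.10 crosses maxretry on its third failure at 21:42:09, well inside the one-hour findtime. A matching filter is only half of the thread's problem, though: in the final reply the "Added logfile" messages show that the files being watched belong to the apache-badbots jail, so the logpath of the phpmyadmin jail itself is what has to be checked next.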
